What’s New in Private Packagist, November Update
We've shipped several important updates to Private Packagist over the past three months, including more insights on the package usage tracking page, the introduction of Trusted Publishing for secure artifact deployment, and enhanced security and audit controls. Here are the highlights from our latest round of product improvements.
More Package Insights on the Usage Tracking page
We've enhanced the package usage tracking page to provide more comprehensive information about your dependencies and their relationships. The package usage page now displays which specific package versions are affected by security advisories, helping you quickly identify and address vulnerabilities.
Additionally, you can now see whether packages are used as direct dependencies or transitive dependencies, giving you better visibility into how security issues might cascade through your projects. These enhancements make it easier to prioritize security updates and understand the full impact of vulnerable dependencies across your codebase.
Trusted Publishing: Secure Artifact Deployment Without Credentials
One of our most significant additions is support for Trusted Publishing, which allows you to publish artifact packages directly from GitHub Actions without the need for long-lived API credentials. Instead of configuring secrets in your workflows, you can now establish a trust relationship between Private Packagist and your CI service. During each CI run that publishes artifacts, an OpenID Connect (OIDC) token is generated and exchanged for a short-lived API token with limited scope.
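To make the trust relationship concrete, here is an added example (not Private Packagist's code) of the checks a registry performs on the CI run's OIDC token before minting the short-lived, scoped token. The exchange endpoint, the shape of the trust entry and the minted token format are assumptions; the claim names are the standard ones GitHub Actions puts in its OIDC tokens, and signature verification against the issuer's JWKS is assumed to happen before these checks.

```python
"""Registry-side checks for the OIDC trusted-publishing exchange described above.
Added illustration, not Private Packagist's code; token signature verification
against the issuer's JWKS is assumed to have happened before this step."""
from dataclasses import dataclass
import secrets

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustEntry:  # hypothetical shape of a configured trust relationship
    repository: str     # repository allowed to publish
    workflow_file: str  # path of the workflow allowed to publish
    audience: str       # 'aud' value the registry expects in the token
    package: str        # package the minted token may publish


def evaluate_trust(claims: dict, entry: TrustEntry, now: int) -> "str | None":
    """Return the reason the exchange is refused, or None if all checks pass."""
    if claims.get("iss") != GITHUB_ISSUER:
        return "unexpected issuer"
    aud = claims.get("aud")
    if entry.audience not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return "token outside its validity window"
    if claims.get("repository") != entry.repository:
        return "repository not trusted"
    # job_workflow_ref is "<owner>/<repo>/<path>@<git ref>"; pinning the path
    # keeps another workflow in the same repository from publishing.
    ref = claims.get("job_workflow_ref", "")
    if not ref.startswith(f"{entry.repository}/{entry.workflow_file}@"):
        return "workflow not trusted"
    return None


def mint_publish_token(claims: dict, entry: TrustEntry, now: int, ttl: int = 900) -> dict:
    """Mint a short-lived token (constructed format) once every check passes."""
    reason = evaluate_trust(claims, entry, now)
    if reason is not None:
        raise PermissionError(reason)
    return {"token": secrets.token_urlsafe(32),
            "scope": f"publish:{entry.package}", "expires_at": now + ttl}


# Constructed sample: one configured trust entry and the decoded claims of one run.
SAMPLE_ENTRY = TrustEntry("acme/widget", ".github/workflows/publish.yml",
                          "private-packagist-example", "acme/widget")
SAMPLE_CLAIMS = {"iss": GITHUB_ISSUER, "aud": "private-packagist-example",
                 "nbf": 1_700_000_000, "exp": 1_700_000_600, "repository": "acme/widget",
                 "job_workflow_ref": "acme/widget/.github/workflows/publish.yml@refs/heads/main"}
```

Because the minted token carries a scope limited to one package and a short expiry, a leaked token from a CI log is far less valuable than a long-lived organization credential.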
Streamlined Synchronization Setup and Bitbucket API Token Support
Setting up synchronizations with GitHub, GitLab, or Bitbucket has been redesigned with a guided step-by-step process. The new workflow features clear navigation and progress indicators, making it much easier to connect your organization to your code hosting platform.
We've also added support for Bitbucket API tokens to Bitbucket Cloud (bitbucket.org) workspace synchronizations, moving away from the deprecated app password system. This change ensures continued compatibility with Bitbucket while providing enhanced security and more granular permission controls.
Better Security and Audit Controls
We've implemented several security enhancements to improve account protection and audit capabilities. API credentials and trusted publishing entries now display creation timestamps and the user who added them, providing crucial visibility into who has access to your organization's resources and when that access was granted. For historical transparency, older entries show the user as "unknown," while deleted users are clearly marked as "deleted user" for newly created entries.
We've also expanded our organization logging to capture when package access is granted to or revoked from teams. This makes it easier to track access modifications, investigate security incidents, and maintain compliance with your organization's security policies.
We've also improved credential management. When you add a package by URL with HTTP authentication, Private Packagist automatically creates the appropriate credentials, assigns them to the package, and removes the credentials from the URL to avoid accidental leaks.
Improved package commands and PHP extension information
We've implemented numerous quality-of-life improvements based on user feedback. The require commands shown on package pages now match those on packagist.org, including helpful suggestions like using PIE for PHP extension packages and the --dev flag for development versions. PHP extension packages also display additional metadata such as compatible operating systems and configure flags.
These updates represent just a selection of the improvements we've made. For a complete list of all changes, bug fixes, and minor enhancements from the past three months, please check our complete changelog. If you have any questions about these features or need assistance with implementation, our support team is always ready to help.